As members of the Fusion Middleware Architecture Group (a.k.a the A-Team), we get exposed to a wide range of challenging technical issues around security and Oracle Fusion Middleware. We're using this blog to answer common questions and provide interesting solutions to the real-world scenarios that our customers encounter every day.
NOTICE: All our post and much more can now be found at http://www.ateam-oracle.com/category/identity-management/

Tuesday, March 29, 2011

Index to the Oracle Access Manager Series from the Fusion Security Blog Team

OAM 11g was released last summer and constitutes a major upgrade/rewrite of OAM, which happens to be one of the more popular Oracle IAM products. Our goal with this series is to help everyone attempting to use and deploy the product at various stages by explaining major OAM 11g concepts, making architectural recommendations, pointing out potential pain points, and walking you through common yet non-trivial tasks such as setting up authentication to an external custom login form.

In the last post here we pointed to Olaf's blog on integrating your ADF app with OAM. That post covers taking an ADF app that was protected with Forms auth and switching it over to be protected in its entirety by OAM. In other words to access any part of the app you have to log into OAM. Once you're logged in to OAM you access the app and OAM sends your identity down.

But what if you want to let users access part of the app anonymously, but require them to log in to access some of the apps features? I don't know what anyone else calls this sort of flow, but I call it the shopping cart model (browse around tossing stuff in your card, then sign in to check out).

I recently wired this flow up in an ADF application (I started with Olaf's sample app). All in all it was pretty easy once I got everything setup, but I couldn't find any docs spelling the process out step by step. So without further ado...

This is what Olaf's app looks like before you login:

When you click on the Action menu there's one option - "Login". If you look at the source you'll see that this triggers a pop-up for you to enter your credentials:

Our friend from Europe, Olaf Heimburger, has written a couple good blog posts on integrating OAM 11g with Oracle Forms. In the 2nd post he’s thrown in a little about OAM/ADF integration (though there is more to cover on that subject).

Wednesday, March 23, 2011

Connecting to an LDAP ID store in OAM 11g over SSL (LDAPS) is a common scenario that many customers may need to implement. Unfortunately the documentation on this subject is scant and can be misleading. So as part of the OAM 11g Academy series, I'd like to discuss this commom scenario. To view the first post on the OAM 11g policy model, as well as the index to the entire OAM 11g Academy series, click here: http://fusionsecurity.blogspot.com/2011/02/oracle-access-manager-11g-academy.html.

The documentation to manage data sources can be found in Chapter 3. The section titled "Managing User Identity Store and OAM Administration Registration" describes how to register a new identity store. Specifically, Table 3-2 describes all the possible elements required to register. Looking at the 'LDAP URL' element we have the following:

Fortunately the solution is pretty simple and has two parts. First, OAM now uses the Java Key Store (JKS) format to store the certificates keys. OAM uses the JKS file 'cacerts' located at "$JAVA_HOME/lib/security/cacerts". This is where the certificate needs to be imported into. Secondly, make sure that the right certificate is imported via the keytool. For more information on how to use the keytool, you can go here. You will need to import the server certificate along with the CA Root cerficate into the keystore. Many customers make the mistake of importing only the CA Root certificate.

So to summarize, the two issues to be aware of are:

1) The difference from 10g, is that 11g now uses the default 'cacerts' location based on the $JAVA_HOME directory.

2) Make sure that both the CA Root certificarte and the server certificate (child) are imported into the keystore.

In this post I’ll cover the OAM 11g concept of resources. The documentation does a reasonably thorough job of covering resources. Again though, in the interest of cutting through the clutter, I’ve compiled a list what I think are the most important points in understanding resources and OAM 11g:

A resource is composed of a host identifier + URI expression. When a user makes a request it is normalized by OAM into an internal representation of the request consisting of a host identifier and URI; the query string is discarded. This internal representation of the request is then compared to the host ID + URL patterns of the resources you have defined. If there is a match then policies will be evaluated based on that resource.

OAM 11g does not consider the query string when trying to match a request up to a resource

If a request fails to match up with any of the defined resources then a failure is returned by the OAM server. With 11g webgates this always means that the request will be blocked. With 10g webgates the behavior is controlled by the “denyOnNotProtected” setting. If set to true then the request will be blocked. If set to false, then anonymous access will be granted and the request will be let through the webgate.

A request will be matched to one and only one OAM resource.

The algorithm used to decide what resource the request will be matched to in the event that more than one URL pattern match the URL in the request is a "best match" algorithm. We’ll go into more detail on this later in the post.

A resource can be in no more than one authentication policy and no more than one authorization policy.

Defining Resources and Understanding the OAM Matching Algorithm

As I mentioned earlier, I think the OAM documentation on resources does a pretty good job but let me expand on it a little bit and try to clarify a few things.

A resource is composed of three parts: the resource type (this posts only covers HTTP type resources), a host identifier, and a resource URL. The resource URL mirrors the URI portion of the request URL which is the part of the URL after the server name (including the / following the server name) and before the query string (the query string is the ?). I wish they had named this the resource URI but what can you do. The resource URL can contain two special character sequences with special meaning ‘…’ and ‘*’. We’ll cover these special characters in a bit.

When you create a resource you do so within an Application Domain. That resource can then become a part of one authentication and one authorization policy inside that Application Domain. Even though this resource is scoped to an Application Domain, you cannot define the same resource (host identifier + resource URL) in another Application Domain.

Now we’ll finally get to the special characters ‘…’ and ‘*’. * (asterisk) can only be used in the last level of the “path” and by this we mean after the final / in the URI. It can be used in two ways: as the last character in the resource URL or preceding a file extension (.jsp, .html, .gif etc).

The * (Asterisk)

When * is used as the last character in the resource URL it matches any string of 0 or more characters that does not contain a ‘/’ (slash). In other words * when used in this way matches any resource that does not go another level deep.

For example, the resource /foo/* will match /foo/index.html and /foo/helloworld but not /foo/bar/hello.jsp.

The other use of the * is preceding a file extension. Let’s say you want to make all the images in a particular webapp open to anonymous access so that they can be linked to from other apps without requiring authentication to OAM. Just create a /app/*.gif resource and throw it into public authentication and authorization policies.

The … (Ellipsis)

The three periods (called an ellipsis) matches any sequence of one or more characters that starts and ends with the forward slash character ‘/’. It is used for creating resource objects that cover multiple “directory” or “realm” levels. The ellipsis can be used only once in a resource URL.

Now the documentation says that the ellipsis matches any sequence of one or more characters that starts and ends with the forward slash but my observation is that it also matches a single forward slash. So, /…/ will match ‘/’. ‘/index.html’, and ‘/foo/bar/help.jsp’

Most of the time you will be adding an asterisk together will the ellipsis. To create resources that match every request under a given context root (directory).

So, let’s say you have an application that handles procurement for your company that is deployed under the context root /procurement. You might create a resource /procurement/…/* that will match all requests under ‘/procurement/’.

Best Match

So, let’s say you have multiple resources that might match a given request. An example of this would be having ‘/…/*’, ‘/somedir/*’, and ‘/somedir/*.jsp’ defined as resources and having request scome in for ‘/somedir/index.html’ and ‘/somedir/hello.jsp’.

OAM uses a “best fit” algorithm to determine which resource the request will be matched with; which is to say, it will pick the resource that contains the most amount of specific characters that match the URI of the request or put another way, the resource that has the least amount of characters in the request matching a wild card expression in the resource.

In our example /somedir/index.html will match with ‘/somedir/*’ and /somedir/hello.jsp will match with ‘/somedir/*.jsp’.

If this confuses you or if you are debugging a policy where you think the request is matching a resource different from the one you expect you can see what resource a request was matched with in 2 ways:

Look at the logs. Filter at the notification level for the word “protected”. Look for the “Called isResourceProtected ()” message that contains the request you want to examine. Then look for the next “Returning from isResourceProtected()” message which contains the resource your request was matched with.

You can configure a response that will create a header containing the resource (host ID and resource URL) your request was matched with. You can then examine this header in your application code. We’ll talk more about responses in a future post but the value for this response is $request.policy_res

Monday, March 14, 2011

Following up with the postings about extending UCM’s security model with OES, I decided to create this post to complete the picture about how to actually configure the policies in OES to protect UCM resources in a scalable fashion. The initial posts cover how to modify and configure the JavaAPIExample-with-custom-classloader Java SSM to integrate OES to UCM via a custom component developed as a filter in UCM. That on its own is tremendously valuable, however, once that is accomplished, how can we take advantage of it?Customers have a large variety of requirements suiting their particular business needs when it comes to managing corporate content. UCM provides a great deal of flexibility for companies to store, categorize and manage their documents and content in general. OES has also a lot of flexibility when providing sophisticated security schemes to control access to that content. However, if we are not careful making the right decisions, the actual solution may not live up to the task at hand and may be more disappointing than anything else.

OES certainly supports protecting URL’s like for Web Applications. UCM can potentially represent content via URL’s, however, representing all document URL’s as OES resources would be impractical to say the least, and totally unmanageable for large amounts of content, which is definitely the case for big corporations.Recently, I had the opportunity to reassemble the OES-UCM integration for a POC in EMEA. During the engagement, I realized that most customers, not only in that region but pretty much in general, use Accounts in UCM. One specific requirement of this POC was to be able to simplify how the relationships between documents are accounts are maintained without having to touch every single document. So the intent here is to describe a potential solution to this problem which could be recommended to customers and doesn’t necessarily represent what real customers currently have in place.

Overview

First of all, let’s do a quick overview of the integration’s architecture to have an initial picture of what we have at our disposal to tackle this problem.For starters, on the UCM side a custom component implementing UCM’s filter interfaces is required to tie OES into UCM’s hooks for custom integrations. Part of this component would be an OES API Wrapper object that will provide the UCM components with a mechanism to call out to OES when the events invoking the custom component are triggered. The following diagram shows the basic architecture of the integration:

Fig. 1 – Basic Integration Architecture UCM-OES.

As described in previous posts the configuration of the java-ssm instance part of the integration as shown above is embedded into UCM via the intradoc.cfg configuration file. So the flow is basically like follows:

3. UCM generates events from the user’s activity and invokes the subscribed components for each triggered event.

4. The ucmoes component is invoked and it processes the event extracting all the metadata for the document along with the security context of the user trying to access the content. All this is transferred to OES via the OESAPIWrapperImpl object part of the ucmoes component implementation.

5. OES asserts the identity of the user, extracts all attributes that need to be retrieved if any, evaluates policies (role policies, authorization policies) according to how things are configured in OES server, and determines if the user is allowed or not access to the requested resource.

There’s nothing really fancy up to this point, right? Now let’s pay closer attention to some other aspects that are also part of the functionality offered by OES which can be very useful to UCM.

Attribute Retrievers

One of the most powerful capabilities of OES is the fact that OES can virtually extract information from anywhere. This is possible using attribute retrievers. OES comes packed with out of the box attribute retrievers for the most common repository types (LDAP, DBMS) and if that is not enough, you can easily create your own custom attribute retriever.The attribute retrievers are specially useful for the purposes of dynamic business logic evaluation impacting authorization decisions.

Evaluation Functions

The concept of evaluation functions is also very powerful. Basically, evaluation functions can be used to extract the contents of attributes coming from the request made from UCM into OES (in this case all the content’s associated metadata) and perform custom evaluation of that data to determine a true or false response, which in turn can be used in role mapping and/or authorization policies. The format in which parameters are passed to evaluation functions is very flexible; pretty much there are no restrictions on the number of arguments passed to the evaluation function as long as the evaluation function’s code knows how to deal with the values being passed in.For our purposes, evaluation functions are a key piece of the puzzle, and you’ll know why soon.

Requirements and Solutions

Here comes the fun part. According to the requirements expressed by some customers, the use of accounts to control access to content is very common. I can see why using accounts provides a lot of flexibility within UCM to increase the granularity of the security model enforced on top of content. The key point here is to maintain the Account’s Hierarchy fairly stable and unchanged. Now UCM ties users to accounts giving permissions to users over the accounts. This restricts even further what users can do with certain content despite the privileges assigned to the security group controlling access to the content. Accounts supersede the permissions granted by Security Groups which means only the privileges granted by both the Account and the Security Group will be made part of the user’s privileges. This may sound a little confusing but it is actually very simple. In other words, the intersection of the two sets of permissions (Account and Security Group) is what permissions the user will ultimately have.UCM has all the facilities to configure these relationships, so what value is added by OES? Well, OES can enrich the semantics of what it actually means to be part of the account and with what privileges. UCM has just direct assignment of users into HRDocAdmin account and with specific permissions. OES on the other hand can actually say: “The user is a member of the HRDocAdmin account if he belongs to the HR Director’s department and has the title ‘HR Auditor’ but only until March 2011”. The way OES policies are specified allow for a more comprehensive analysis of the user’s attributes along with present circumstances external to the user’s profile to determine if a user is part of the account and with what privileges. In other words, OES makes it possible to express the relationship between users and account in a more dynamic fashion.Going back to the requirements, I am going to present a possible solution to the requirements of using a hierarchy of accounts to protect content and use OES as the engine to determine user access to accounts and therefore to their respective protected resources.

For starters, I will say it is fine to associate accounts with resources but once a resource is associated to an account this bond should never change anymore. Accounts should be fixed and the privileges of users over those accounts can change, even over time; and the policies that determine that are specified in OES.

At the beginning of this article I mentioned two OES features that will help a great deal in the implementation of a solution to these requirements, Attribute Retrievers and Evaluation Functions. These elements available in OES will allow us to define policies beyond simple direct assignment of user permissions over accounts, which is available directly from UCM.

Here is the scenario:

A company is divided in 6 organizations based on location:

• North West Organization• North East Organization• North Central Organization• South West Organization• South East Organization• South Central Organization

A set of states belongs to each Organization. Each state has its own set of content items in UCM. Only people from a given state with Author or ContentAdmin roles can modify the documents that belong to that state. Other Authors/ContentAdmins in other States within the same Organization still have read access to those documents. So in other words everyone within an organization has access to the account that belongs to that organization, but the permissions over the content vary based on the state that generated the document. Needless to say, People in other organizations don’t have access to documents that don’t belong to their organization because they will have no access over the corresponding accounts. If we wanted to take this even further, we could easily design a scheme of exceptions for inter-organization access to content generated by different organizations. As a matter of fact, if the content is labeled public in an attribute called xDocExceptionStatus part of the metadata associated to the content item; then everyone has access to that document regardless of the account privileges.

To be able to implement this scenario in OES we need to have access to a few pieces of information: the Organization that created the document, the Organization that a person belongs to, the state where this person’s office is located and the dExceptionStatus of the content item to determine if the item is public or not. The attributes associated to people are retrieved using attribute retrievers that are connected to the repository where those attributes are stored. For the attributes associated to the content we will use evaluation functions, which have access to request time attributes passed as part of the context associated to the authorization request.

For the purposes of our example, all attributes describing employees are stored in LDAP, therefore, the out of the box LDAP Attribute Retriever will do. Now, the next part of the solution is custom developed, we will create an evaluation function that will determine if the user has proper permissions over a content item based on his/her organization and his/her content role.

The code listing below shows the implementation of the evaluation function that tests the value of the document’s metadata attributes against the user’s LDAP attributes.

All this function does is to extract the Attributes from the document’s metadata passed as properties from the client. It does that using the requestHandle parameter passed to the function method. Then compares the values with the ones passed as arguments to the function from the OES policy using this function. Within the policy OES passes the values of the dynamic attributes for st (State) and o (Organization) using the following constraint expression:

sys_defined(st) AND sys_defined(o) AND assertAttributes(st, o)

As shown by the expression above, only users that exist in LDAP having these attributes populated will be evaluated for access. The first two calls to sys_defined function prevent non-LDAP stored users from making it through to our evaluation function, so these users get rejected immediately. Part of the configuration would be having two dynamic attributes tied to the same LDAP attribute retriever.

By doing this we are adding a sophisticated access policy that would fit the business requirements for the accounts without the limitations from UCM policies based on simple group membership.

The deployment of the function above is described In Oracle Entitlements Server documentation and is out of scope for this document, so please refer to it if you want to try this approach.

Summary

OES can extend the security model of UCM so the semantics of access policies can be enriched to support more sophisticated authorization schemes.

The combination of Attribute Retrievers and Evaluation Functions is a very powerful mechanism to implement sophisticated access policies with very rich semantics and also a very dynamic nature if the users' data change overtime affecting their access to content stored in UCM.

This is just a sample implementation of potential requirements. It is not intended to serve as the basis of a real implementation meant to be released in production.

Thursday, March 10, 2011

I've been doing a LOT of writing recently. Unfortunately, or perhaps fortunately depending on how you feel about my writing, it's all been by email to folks inside Oracle and directly with customers. One thing I wrote that is probably interesting for readers of this blog was an answer to a customer's questions about the crypto acceleration capabilities of the Sparc processor. This is a slight rewrite of that doc...

The crypto acceleration of Sparc and Solaris when it's used for SSL acceleration is right in the sweet spot of confluence between networking, crypto, performance and architecture. In other words just about my favorite place!

Before we get into the technical bits we should probably have a common picture in our heads about what sort of architecture we're talking about. When you deploy web apps you usually have user traffic hit a load balancer which then routes the traffic to your servers. The simplest diagram of that sort of environment is the three boxes diagram - like so:

There are a bunch of different styles of VIP / Load Balancer and there are various ways to configure them. The most common ways (in no particular order) are:
1) Terminate SSL connections at VIP/load balancer
2) Terminate TCP connection at VIP/load balancer, but pass traffic through unchanged
3) Transparent load balancing via a NAT style networking device.

I've seen various names for these technologies, so I'm not going to try to assign names to them for the purposes of this post.

In the case of #1 above the connection between the VIP/LB and the back end server is usually simple, unsecured HTTP. You might use this model if the load balancer has SSL acceleration technologies (either via a hardware card or some software optimization). In the case of #2 and #3 all of the SSL work is handled by the backend server.

Solaris on Sparc offers a few ways to really boost the performance of WebLogic Server. Read on to see what they are.

Tuesday, March 8, 2011

Hi everyone, this is my first posting so I wanted to first introduce myself. My name is Vinay Kalra and I'm also part of the A-team at Oracle. I came to Oracle in 2005 as part of the Oblix acquisition that brought with it Oracle Access Manager (OAM).

The Problem:
As I was playing with OAM 11g, I came across an issue with protecting a resources using Basic Authentication. The Basic authentication dialog box did show up, however, my credentials failed. Not only that, after the first attempt, all subsequent attempts were coming from the Weblogic Server, not OAM's Basic authentication.

First attempt, notice that the site description is 'OAM 11g'.

When I entered my credentials as testuser1/welcome1 it failed and again prompted for password. Notice that the site description is now 'Weblogic Server'.

The oam sever logs revealed that it could not find the user's (testuser1) DN:

Well, first off the filter and the search base were incorrect. I had configured my user store to point to Oracle Internet Directory (OID), which had a different search base. The search base here was coming from WebLogic's embedded LDAP. Keep in mind that this worked perfectly with OAM's LDAP Authentication, which is form based authentication. So why didn't OAM Basic Authentication work??

Wednesday, March 2, 2011

I wanted to make a quick post to primarily let people know where to find bundle patches for Oracle Access Manager (OAM) and Oracle Identity Manager (OIM) patches. While I’m at it I will also cover where to find the major releases and patch sets (which are basically minor or mid-level releases) for OAM, OIM, and other Oracle IAM products.

While not entirely specific to OAM 11g, I’ll be including this post in my OAM 11g Academy Series. To view the first post in the series which will be updated throughout to contain links to the entire series, click here.

For those of you who are new to working with OAM and OIM (or Oracle products in general), patches for OAM and OIM are released in semi-regular bundles called bundle patches. These patches are easily applied using the OPATCH utility which I discussed in this previous post. For both OAM and OIM the bundle patches are cumulative. However, this is not necessarily the case for all Fusion Middleware Products or even all IAM products from Oracle.

For OAM, there is a nice article on support.oracle.com that includes the entire bundle patch history for OAM 11g, 10.3 and 10.2 with links to each patch. The article is updated with the release of every new bundle patch. So, it’s basically one stop shopping for what you need to know about patching OAM. The article number is 736372.1 and can be found by searching support.oracle.com or following this link.

For OIM, there doesn’t seem to be an exactly equivalent article but there does seem to be one or two articles per major release or patch set on bundle patches for that release which do appear to be getting updated as new patch sets come out. This includes:Article 1247564.1 includes a list of patch sets for OIM 11g that includes the issues fixed in each patch set.

Article 1275998.1 is another article containing patch sets for OIM 11g that cross references the bundle patch numbers with the actual patch numbers. There are also links on this page to equivalent articles for OIM 9.x releases.